Fulfilling Your Role as DPO.
If you have been appointed your school’s Data Protection Officer (DPO) you are probably wondering what you need to do next. To help you understand the role and responsibilities of being a DPO, we will run through everything you need to know about being your school’s DPO.
For more information about WHO can be appointed DPO, have a look at our previous blog explaining the appointment process.
What does the GDPR say that you will need to do?
Article 39 of the General Data Protection Regulation (GDPR) states that the tasks of the DPO include:
“(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other […] data protection provisions;
(b) to monitor compliance with this Regulation, with other […] data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance […];
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to processing […] and to consult, where appropriate, with regard to any other matter.”
But what does this really mean?
In simpler terms, as your school’s designated DPO, you will be required to:
- monitor your school’s compliance with the GDPR (the school itself, as controller, remains responsible for complying; the DPO advises and checks);
- collect information about your school’s data processing activities;
- analyse and check that your school’s data processing activities are compliant;
- advise senior members of staff on your school’s compliance;
- ensure all school staff who are involved in data processing are adequately trained;
- educate all school staff about the GDPR compliance requirements;
- serve as the point of contact between your school and the supervisory authority (in the UK, the ICO);
- act as a contact point for data subjects (pupils, parents and staff) on questions about how their data is being used;
- help maintain comprehensive records of all data processing activities conducted by your school.
But where do you start?
We understand that these tasks may sound quite daunting to start with. As a first step, you should carry out some of your own research into the requirements of the GDPR and the specific responsibilities of a DPO.
We have a number of free resources to get you started and there are plenty more available from the ICO.
Who can help you?
Throughout your role as DPO you will be required to engage directly with the senior management of your school. If you haven’t done so already, you should set up a meeting as soon as possible with your senior leadership team (SLT) to discuss your responsibilities and to make sure you understand how data is controlled and processed in your school.
The GDPR requires that:
- you report directly to the highest management level of your school;
- you operate independently and are not dismissed or penalised for performing your role as DPO; and
- adequate resources are provided to you to enable you to meet your GDPR obligations.
It is therefore important that you have the full support and assistance of your SLT.
You will also need to engage with your school’s operational staff who manage personal data on a day-to-day basis. This may include:
- network managers;
- SIMS managers;
- office managers;
- catering managers; and
- teaching staff (particularly heads of faculty).
It is important to communicate with your school’s operational staff, as they are the people best placed to help you understand the mechanisms and processes your school uses to control and process data on a daily basis.
Now that you understand your role, what do you need to check?
As a starting point, it is a good idea to begin checking the mechanisms currently in place for handling personal data at your school. You should carry out a number of checks so that you are able to answer the following questions:
Where is your school’s personal data stored?
- For example, it may be stored in filing cabinets, in email systems, on computer hard drives, or on video and audio recorders (CCTV, for instance).
- Remember to consider all written, audio and visual data, whether held on paper or electronically.
How is personal data used in your school?
- Think about how the data is collected and recorded; how long the data will be stored; when the data will be deleted; what the legal basis for processing the data is; and how your school collects and records consent (where consent is the basis relied on) to use the data.
Does your school have a data protection policy in place? Is this being followed by ALL staff?
- Consider whether your school’s staff are storing and using personal data correctly, in line with the policy.
- For example, if your school’s data retention policy is to keep a pupil’s personal data for one year after they have left the school, is this policy actually being followed, and is the data then deleted?
- Are data breaches being reported internally, and promptly enough to meet the 72-hour deadline for notifying the supervisory authority where notification is required?
What training is currently offered to school staff on data protection? Has this training been recorded?
- Is your school offering data protection online courses, training days etc?
- Does your school have a record of all data protection training?
Do ALL school staff understand the importance of abiding by data protection laws?
- Ensure that you consider ALL staff from the head teacher to the school cleaners.
TIP – it is good practice to keep a written record of your answers to the above questions. This evidence is useful for audits and for any investigation if a data breach does occur.
How can you use GDPRiS to make your role as DPO easier?
GDPRiS provides a solution to help make your role as your school’s DPO easier. Here are just a few of the features that GDPRiS offers that could help you fulfil your role:
- User Management – all staff members will be provided with a login to our system. This will allow you to track their data protection activities.
- Suppliers – many well-known school suppliers will be pre-populated onto our system and will have already recorded the data that they use and the reasons they need to process this data.
- Data breaches – our system allows staff to report potential data breaches, giving you a central place to manage, investigate and where appropriate take the necessary actions to notify the supervisory authority and any individuals involved (where required).
- Self-Assessment Questionnaires (SAQs) – we provide a number of SAQs for your staff to answer, allowing you to monitor compliance within your school.
If you would like more information about our system, please do not hesitate to contact our team.